regulation on open banking

1 Joint Resolution No. 1 of May 4th, 2020

Regulation on Open Banking

JOINT RESOLUTION No. 1 OF MAY 4th, 2020

Provides for the implementation of Open Banking

Disclaimer

This document represents the best effort of the Central Bank of Brazil (‘Banco Central do Brasil’ - BCB) to provide an English

version of the original regulation or legislation. Hence, it should not be deemed as an official translation. In case of any

inconsistency, the original version in Portuguese prevails. This version of the regulatory document is not enforceable and BCB

does not warrant that it reflects the complete and current legal framework. Further questions regarding this document’s

content may be forwarded to:

Financial System Regulation Department – Denor

Latest updated in May 2020

[email protected] Phone: +55 61 3414-1503

The Brazilian main financial regulation can be accessed at BCB Website

mailto:[email protected]

https://www.bcb.gov.br/en/financialstability/Brazilian-Prudential-Financial-Regulation

Joint Resolution No. 1 of May 4th, 2020 2

JOINT RESOLUTION No. 1 OF MAY 4th, 2020

Provides for the implementation of Open Banking.

The Central Bank of Brazil, acting pursuant to Article 9 of Law No. 4.595, dated December 31st, 1964, hereby announces that its Board of Governors, in a meeting held on April 22nd, 2020, and the National Monetary Council, in a meeting held on April 30th, 2020, based on Article 4, item VIII of the referred Law, and on Article 9, heading and item II, of Law No 12.865, dated October 9th, 2013,

R E S O L V E D :

CHAPTER I

OBJECT AND SCOPE OF APPLICATION

Article 1. This Joint Resolution provides for the implementation of Open Banking by financial in-

stitutions, payment institutions and other institutions licensed by the Central Bank of Brazil.

CHAPTER II

PRELIMINARY PROVISIONS

Section I

Definitions

Article 2. For purposes of this Joint Resolution, the following definitions apply:

I - Open Banking: a standardized sharing of data and services through the opening and integration of

systems;

II - customer: any natural person or legal entity, except the institutions referred to in article 1, who

maintains a relationship intended for the provision of a financial service or execution of a financial operation with

institutions that are subject to this Joint Resolution, including for making payment transactions;

III - data transmitter institution: participating institution that shares data within the scope of this Joint

Resolution with a recipient institution;

IV - data recipient institution: participating institution that submits a request for data sharing to the

data transmitter institution in order to receive data within the scope of this Joint Resolution;

V - account service provider: participating institution that maintains a customer’s deposit, savings or

pre-paid payment account;

VI - payment initiation service provider: participating institution that provides a payment initiation

service without holding at any moment the funds that were transferred while rendering the service;

VII - payment initiation service: a service that allows for the initiation of a payment transaction

ordered by the customer, with respect to a deposit, savings or pre-paid payment account;

VIII - consent: a free, informed, previous and unequivocal manifestation of will, made through

electronic channels, by which a customer agrees to the sharing of data or services for specific purposes;

IX - interface call: request for data and services presented by a data recipient institution or a payment

initiation service provider to a data transmitter institution or account service provider;

X - method signature: a unique identification of each method, which consists in the definition of the

method’s name, as well as the input and output parameters within a programming function;

XI - successive payment transactions: payment transactions executed between the same payers and

payees according to a given frequency, resulting from a juristic act or legal relationship; and


XII - data aggregation: consolidation of shared data in accordance with the provisions set by this

Joint Resolution for the purpose of providing services to customers.

Section II

Objectives and Principles

Article 3. The following are objectives of Open Banking:

I - encouraging innovation;

II - promoting competition;

III - increasing the efficiency of the National Financial System and the Brazilian Payments System;

and

IV - promoting financial citizenship.

Article 4. The institutions referred to in Article 1, for the purposes of fulfilling the objectives listed

in Article 3, shall pursue their activities ethically and responsibly, in observance of the legal and regulatory frame-

work in effect, as well as observing the following principles:

I - transparency;

II - security and privacy of the data and services shared within the scope of this Joint Resolution;

III - data quality;

IV - non-discriminatory treatment;

V - reciprocity; and

VI - interoperability.

CHAPTER III

SCOPE OF OPEN BANKING

Section 1

Scope of Data and Services

Article 5. Open Banking comprises the sharing of the following, as a minimum:

I - data on:

(a) service channels related to:

1. the institution’s offices and branches;

2. domestic correspondents;

3. electronic channels; and

4. other channels available to customers;

(b) products and services related to:

1. deposit accounts;

2. savings accounts;

3. pre-paid payment accounts;

4. post-paid payment accounts (credit cards);

5. credit operations;

6. foreign exchange operations;


7. acquiring services in payment schemes;

8. term deposit accounts and other investment products;

9. insurance; and

10. open pension funds;

(c) registration of customers and their representatives; and

(d) customer transactions related to:

1. deposit accounts;

2. savings accounts;

3. pre-paid payment accounts;

4. post-paid payment accounts (credit cards);

5. credit operations;

6. payroll accounts, as disciplined by Resolution No. 3,402, dated September 6th, 2006;

7. foreign exchange operations;

8. acquiring services in payment schemes;

9. term deposit account and other investment products;

10. insurance; and

11. open pension funds; and

II - services for:

(a) initiating payment transactions; and

(b) forwarding loan proposals.

§ 1 The participating institutions, as defined by Article 6, may, under the convention referred to in

Article 44, include other data and services in the scope of Open Banking, as long as the principles, requirements for

sharing and the other provisions of this Joint Resolution are observed.

§ 2 For purposes of sharing data on products and services under Item I, subitem “b”, of the heading,

only products and services that are available for contracting through the service channels of the data transmitter

institution, including domestic correspondents, should be considered.

§ 3 Consent must be obtained from the customer, pursuant to Article 10, for purposes of sharing

registration and transactional data and services referred to in Items I, subitems “c” and “d”, and II of the heading,

and those referred to in § 1, in the case of data and services related to the customer.

§ 4 Sharing of registration data referred to in Item I, subitem “c”, of the heading shall include:

I - the data provided directly by the customer or obtained through consulting public or private data-

bases, except:

a) data categorized by legislation as sensitive personal data;

b) credit scores or ratings; and

c) credentials and other information used with the objective of authenticating the customer; and

II - the most recent data available, specifying the date that it was obtained.

§ 5 Sharing of data on transactions as referred to in Item I, subitem “d”, of the heading:

I – shall comprise of data pertaining the customer:


(a) about products and services contracted with or distributed by the data transmitter institution; and

(b) accessible through its electronic service channels, including pre-approved credit limits eventually

agreed upon; and

II – include, as a minimum, the data and transaction history of the past twelve months with respect

to the products and services with valid contracts within that period.

Section II

Participation in Open Banking

Article 6. The following are participants in Open Banking:

I - in the case of the data sharing referred to in Article 5, Item I:

(a) participation is mandatory for Segments 1 (S1) and 2 (S2) institutions, as defined by Resolution

No. 4,553, dated January 30th, 2017; and

(c) participation is voluntary for the other institutions referred to in Article 1;

II - in the case of the payment initiation service referred to in Article 5, Item II, subitem “a”, partici-

pation is mandatory for:

(a) account service provider; and

(b) payment initiation service provider; and

III - in the case of the service of forwarding loan proposals referred to in Article 5, Item II, subitem

“b”, participation is mandatory for institutions referred to in Article 1 that have in place domestic correspondents

agreements which allow for the provision, by electronic means, of the service referred to in Article 8, Item V, of

Resolution No. 3,954, dated February 24th, 2011, observing the implementation deadline mentioned in Article 55,

Item III.

article 55:

§ 1 The sharing of data and services is mandatory, observed the implementation deadlines set by

I - in format that allows public access, in accordance with Article 23, § 2, concerning the data referred

to in Article 5, item I, subitems “a” and “b”; and

II - between participating institutions of each case described in Items I and II of the heading, con-

cerning the data referred to in Article 5, items I, subitems “c” and “d”, and II, subitem “a”.

§ 2 Members of prudential conglomerates that do not provide any of the services associated with the

customer transactional data listed in Article 5, Item I, subitem “d”, are exempted from the mandatory participation

requirement referred to in Item I, subitem “a”, of the heading.

§ 3 The voluntary participation referred to in Item I, subitem “b”, of the heading requires the

availability of the dedicated interface referred to in Article 23 as a data transmitter institution.

Article 7. Participating institutions must register their participation in the participant repository main-

tained by electronic means, as mentioned in Article 44, Item VI.

CHAPTER IV

REQUIREMENTS FOR SHARING

Section I

Sharing request

Article 8. Request for sharing the registration and transactional data and services referred to in Article

5, Items I, subitems “c” and “d”, and II, subitem “a”, comprise the stages of consent, authentication, and confirmation.

Sole Paragraph. The stages referred to in the heading shall:


I - be executed in a secure, prompt, accurate, and convenient manner using the dedicated interface

referred to in Article 23;

II - be performed exclusively through electronic channels;

III - occur successively and without interruption; and

IV - have a duration compatible with their objectives and degree of complexity.

Article 9. Participating institutions shall ensure that information is provided to customers in a clear,

objective and appropriate manner, concerning:

I - the stages referred to in Article 8, heading;

II - the procedures associated with the stages referenced in item I; and

III - redirection to other electronic environments or systems, including those of other institutions,

when applicable.

Section II

Consent

Article 10. A data recipient institution or payment initiation service provider shall identify the

customer and obtain his/her consent prior to the sharing disciplined by this Joint Resolution.

§ 1 The consent mentioned above shall:

I - be requested with the use of clear, objective and suitable language;

II - refer to specific purposes;

III - have a validity period compatible with the purposes referred to in Item II, but limited to twelve

months;

Article 11;

IV - identify the data transmitter institution or account service provider, as the case may be;

V - specify the data or services that will be shared, observing the data groups’ option admitted by

VI - include the customer identification; and

VII – be obtained after this Resolution enters into force, observed the implementation deadlines set

forth in Article 55.

§ 2 Any change in the conditions referred to in Items II to V of § 1 will require new consent from the

customer.

in § 1, Item II.

§ 3 It is forbidden to obtain the customer’s consent:

I - by means of a standard customer agreement;

II - using a form with the agreement field filled out in advance; or

III - based on presumption, without the customer actively manifesting his/her will.

§ 4 Information shall not be shared with the data transmitter institution about the purpose referred to

§ 5 The prohibition set forth in § 4 does not apply to partnership agreements disciplined by Article

36 or in other cases admitted by the legal or regulatory framework in effect.

§ 6 In the case of successive payment transactions, the customer, at his/her discretion, may determine

a longer validity period than the one established in §1, Item III, being possible to make it coincidental with the time

those transactions will cease to exist.


Article 11. The data being shared may be presented to the customer in groups, based on criteria to be

determined in the convention addressed in Article 44.

Sole Paragraph. For purposes of the presentation mentioned in the heading, data groups shall:

I - be identified in a clear, objective and suitable manner;

II - enable the customer to view data in granular form; and

III - be compatible with the data represented in granular form.

Article 12. The data recipient institution shall ensure that the data being shared is pertinent to the

specific purposes referred to in Article 10, § 1, Item II.

Article 13. For the sharing of the payment initiation service referred to in Article 5, Item II, subitem

“a”, in addition to the requirements set forth in § 1 of Article 10, consent shall include the following information, as

a minimum:

I - payment method;

II - value of the payment transaction;

III - information about the payee; and

IV - payment’s date.

§1 In the case of successive payment transactions, consent shall also provide information about the

frequency of transactions and duration, observing the provision set forth in Article 10, § 6.

§ 2 Adherence to the provision in Item II of the heading is optional in the case of successive payment

transactions in which the value of the payment transaction varies.

§ 3 The information required in the heading shall be those strictly necessary to perform the payment

transaction and compatible with the regulation or instrument that governs the payment scheme pertaining to the

respective payment transaction.

§ 4 The payment initiation service provider shall request the customer’s consent for each new

payment transaction, except in the case of successive payment transactions, when the consent’s validity period shall

observe the provisions set forth in Article 10, § 6.

Article 14. Participating institutions shall provide the customer with the following information, as a

minimum, about valid consents related to the sharing they are involved:

I - identification of the participating institutions;

II - the data and services being shared;

III - the validity period of the consent;

IV - the date the consent was requested; and

V - the purpose of the consent, in the case of data recipient institution or payment initiation service

provider.

Article 15. Participating institutions involved in the data or service sharing must ensure that the con-

sent can be revoked at any given time upon the customer’s request, through secure, agile, precise and convenient

procedures, observing the legal and regulatory framework in effect.

§ 1 For purposes of the provision set forth in the heading, institutions shall make available to the

customer the option for revoking consent through at least the same service channel by which it was granted, if said

channel still exists.

§ 2 A data transmitter institution or account service provider is prohibited from proposing to a cus-

tomer the option to revoke a consent, except in the case of justified suspicion of fraud.


§ 3 The revocation referred to in the heading shall be made in observance of the following deadlines:

I - within 1 (one) day of the customer’s request, in the case of the sharing of the payment initiation

service referred to in Article 5, Item II, subitem “a”; and

II - immediately, in other cases.

§ 4 The revocation made in accordance with the deadlines set forth in § 3 shall be reported

immediately to the other participating institutions involved in the sharing.

Section III

Authentication

Article 16. The data transmitter institution or account service provider shall adopt procedures and

controls for authenticating:

I - the customer; and

II - the data recipient institution or payment initiation service provider.

Sole Paragraph. The procedures and controls referred to in the heading must:

I - in the case of customer authentication, be performed only once for each valid consent; and

II - in the case of authentication of a data recipient institution or payment initiation service provider,

be performed once for each interface call.

Article 17. The procedures and controls for customer authentication shall be compatible with those

applicable to customers in order to access the institution’s own electronic channels, considering the following:

I - level of risk;

II - type of data or service to be shared; and

III - service channel;

§ 1 The compatibility referred to in the heading comprises all the following:

I - authentication factors;

II - number of steps involved; and

III - duration of the procedure.

§ 2 The convention referred to in Article 44 may propose recommendations concerning standards

related to the procedures and controls referred to in the heading, with the objective that participating institutions

comply with the provision mentioned in Article 8, Sole Paragraph.

Article 18. The authentication procedures and controls mentioned in Articles 16 and 17 shall be

compatible with the institution’s cyber security policy, as set forth in the regulatory framework currently in effect.

Article 19. Contracting of services to perform the authentication procedures and controls described

in Articles 16 and 17 is permitted, provided that the following provisions are observed:

I - Chapter III and, as applicable, Chapters IV and V of Circular No. 3,909, dated August 16th, 2018,

in the case of payment institutions; and

II - Chapter III and, as applicable, Chapters IV and V of Resolution No. 4,658, dated April 26th, 2018,

in the case of financial institutions and other institutions licensed by the Central Bank of Brazil.

§ 1 In the case of the contractual agreements referred to in the heading, responsibility for observing

this Joint Resolution provisions remains with the data transmitter institution or account service provider.

§ 2 Contracting a data recipient institution or payment initiation service provider in order to

authenticate itself for the purposes of the authentication process referred to in Article 16, Item II, is prohibited.


Section IV

Confirmation of Sharing

Article 20. The data transmitter institution or account service provider must request the customer’s

confirmation concerning the data or service sharing.

Sole Paragraph. The confirmation procedure shall:

I - occur simultaneously with the authentication procedures referred to in Article 16; and

II - ensure the customer can view the details of the shared content, taking into consideration the scope

of data and services and the option for grouping referred to in Articles 5 and 11, as well as the data and services

presented in the consent stage referred to in Article 10, § 1, item V.

Article 21. In the case of registration and transactional data sharing mentioned in Article 5, Item I,

subitems “c” and “d”, the following information, as a minimum, must be provided in detail during confirmation:

I - identification of the data recipient institution;

II - validity period of the consent;

III - data that will be shared, observing the scope of data and services and grouping option referred

to in Articles 5 and 11, as well as the data and services presented during the consent stage referred to in Article 10, §

1, item V.

Article 22. In the case of payment initiation service sharing mentioned in Article 5, Item II subitem

“a”, the following information, as a minimum, must be provided in detail during confirmation:

I - value of the payment transaction;

II - payee information; and

III - date of payment.

§ 1 In the case of successive payment transactions, confirmation shall also indicate the frequency

and duration of transactions, observing the provision presented in Article 10, § 1, Item III, and § 6.

§ 2 Adherence to the provision presented in Item I of the heading is optional in cases of successive

payment transactions in which the value involved varies.

§ 3 The information required in the heading shall be compatible with the regulation or instrument

that governs the payment scheme pertaining to the respective payment transaction.

Section V

Interfaces Dedicated to Sharing

Article 23. Participating institutions shall make dedicated interfaces available for use in the sharing

of data and services covered in this Joint Resolution, standardized in accordance with the convention disciplined in

Article 44.

§ 1 The data and services mentioned in the heading shall be represented in digital media and ma-

chine-readable, in an unrestricted format for its use.

§ 2 In the case of interfaces designed for the sharing of the data referred to in Article 5, item I,

subitems “a” and “b”, participating institutions shall ensure its free access to the general public, with the possibility

of defining interface calls’ limits based in justified and equitable parameters, through the convention referred to in

Article 44,

§ 3º A confederation composed of central credit unions in a three-level system and a central credit

union in a two-level system might assume responsibility, concerning its affiliated firms, to provide the interface

mentioned in the heading.


Article 24. Institutions shall provide other participants with information about the dedicated inter-

faces in a clear, appropriate to the nature of the sharing and accessible manner, including version control and con-

nectivity support.

Article 25. The data transmitter institution or account service provider shall make available to other

participating institutions an alternative mechanism for sharing, in the event the dedicated interfaces are unavailable.

§ 1 Instances of unavailability that create a crisis at the institution must be reported promptly to the

Central Bank of Brazil.

§ 2 In cases that the interface is unavailable and alternatives for sharing are employed, the data trans-

mitter institution or account service provider shall:

I - guarantee that the data recipient institution or payment initiation service provider is not granted

access to data or services other than those consented by the customer; and

II - maintain a record of the accesses and data and services accessed by the alternative mechanism

mentioned in the heading.

Section VI

General Provisions

Article 26. The data transmitter institution or account service provider shall provide timely

information to the data recipient institution or payment initiation service provider concerning the fulfillment of the

sharing request or, if such is the case, the reasons that prevented the sharing from occurring.

§ 1 The convention that is the subject of Article 44 shall standardize the reasons that prevent the

sharing from occurring as referred to in the heading.

§ 2 For the sharing of payment initiation services, the standardization of reasons mentioned in § 1

must be compatible with the regulation or instrument that governs the payment scheme pertaining to the respective

payment transaction.

§ 3 The impossibility of sharing referred to in the heading shall be properly documented,

accompanied by the motives and evidences that supported it.

Article 27. The data recipient institution or payment initiation service provider shall inform the

customer about the fulfillment of the sharing request.

§ 1 The communication alluded to in the heading shall, as a minimum:

I – list the specific purposes referred to in Article 10, § 1, item II, as the data and services expected

to be shared; and

II - be performed through electronic channels.

§ 2 Concerning the sharing of the payment initiation services mentioned in Article 5, item II, subitem

“a”, the communication alluded to in the heading must also be compatible with the regulation or instrument that

governs the payment scheme pertaining to the respective payment transaction.

Article 28. Participating institutions are prohibited from setting up obstacles to the sharing, such as

asking customers to provide additional authorizations, additional validation of the customer’s consent presented to

the data recipient institution or payment initiation service provider, or complicated access instructions.

Article 29. Account service providers are prohibited from restricting, limiting or impeding the

initiation of payment transactions referred to in Article 5, Item II, subitem “a”, as well as from acting

discriminatorily toward it in comparison with the transactions executed directly by the customer through its service

channels.

Article 30. Participating institutions must make available service channels designed to provide tech-

nical support concerning the sharing request presented by other participating institution, including:

I – the stages pertaining to the sharing;


II – the connectivity with the dedicated interfaces;

III – the unavailability of the dedicated interfaces and the alternative mechanism for sharing; and

IV – the reliability, the integrity and availability of the shared data.

Sole paragraph. Participating institutions shall register in the participant repository mentioned in Ar-

ticle 44, item VI, information about how to access the service channels referred to in the heading.

CHAPTER V

RESPONSIBILITIES

Section I

Responsibility for Sharing

Article 31. Participating institutions are responsible for ensuring the reliability, integrity, availabil-

ity, security, and confidentiality with respect to the data and services sharing they are involved, as well as for com-

pliance with the legal and regulatory framework in effect.

Section II

The Director Responsible for the Sharing

Article 32. Participating institutions and the institutions that pursue the partnership contracts referred

to in Article 36 shall designate a director who will be responsible for the sharing process that is the subject of this

Joint Resolution.

Sole Paragraph.The aforementioned director may perform other functions at the institution, provided

there is no conflict of interests.

Article 33. The director responsible for the sharing mentioned in Article 32 must prepare a

semiannual report on the sharing of data and services that the institution has been involved, using June 30 and

December 31 as baseline dates.

§ 1 The report referred to in the caput shall address the following, as a minimum:

I - customer claims concerning the sharing that were recorded during the period, segregating those

arising from fraud from the others, and indicating the measures that were adopted for handling them;

II – the claims presented through the technical support channel, segregating those arising from the

unavailability of the dedicated interfaces from the others;

III - incidents related to security breaches of the shared data and information about the shared

services, as well as the measures taken to prevent and solve them referred to in Articles 38, §3, and 48, Item III, as

the case may be;

IV - the results of the business continuity tests referred to in Article 48, Item IV, considering the

scenarios of unavailability of the interface used for the sharing process that is disciplined by this Joint Resolution;

and

IV - the quantity of interface calls in the period, segmented into customers and type of data and

shared services, as well as indicators referring to the performance of the interfaces that is mentioned in Article 41.

§ 2 The report mentioned in the heading shall be:

I - submitted to the institution’s risks committee, if one exists; and

II - presented to the board of directors or, where there is none, to the institution’s executive board,

no later than 90 days after the baseline date.


Section III

Responsibility for Forwarding Claims

Article 34. The institutions referred to in Article 1 are responsible for handling the claims presented

by their customers, with respect to the data and services sharing they are involved.

Sole Paragraph. The obligation mentioned in the heading also applies to handling the claims

presented by the general public concerning the interface that is referred to in Article 23, § 2.

Article 35. The institutions referred to in Article 1 shall inform their customers that the claims

concerning the sharing of data and services may be submitted through:

I - the institution’s own customer services channels; and

II - the claims-forwarding channels mentioned in Article 44, Item III, in the case of participating

institutions.

Sole Paragraph. The institutions mentioned in Article 1 shall provide information to their customers

about how to access the channels mentioned in the heading.

Section IV

Partnership contract

Article 36. Partnership contracts might be agreed between the institutions referred to in Article 1

and other entities not licensed by the Central Bank of Brazil for the purpose of sharing the data referred to in Article

5, Item I, subitem “c” and “d”, as well as for sharing other data and services that may be included in the scope of

Open Banking pursuant to Article 5, § 1.

§ 1 Sharing the data mentioned in the heading requires the previous and express consent by the

customer.

§ 2 Institutions shall ensure that their risk management policies and strategies under the regulatory

framework in effect include the decision-making criteria for contracting partners for the purpose stated in the head-

ing.

§ 3 In the event of the partnership contracts where sharing with entities located abroad is expected,

the policies and strategies referred to in § 2 shall include the parameters used by that institution to evaluate the

countries and region in each country to which customer data could be shared, observing the legal framework in effect.

§ 4 The policies and strategies referred to in § 2 shall be approved by the board of directors or, where

there is none, by the institution’s executive board.

§ 5 Partnership agreements referred to in the heading are prohibited under the following circum-

stances:

the sharing.

I - between institutions licensed by the Central Bank of Brazil; and

II - with the objective that the partner act on behalf of the contracting institution for the purposes of

§ 6 Partnership agreements referred to in the heading must be preceded by the issuance of a favour-

able statement by the director mentioned in Article 32, observing the requirements set by Article 37.

Article 37. The institutions referred to in Article 1, prior to the contractual agreement that is the

subject of Article 36, shall adopt procedures that include:

I - adopting corporate governance and management practices proportional to the risks to which they

are exposed; and

II - verifying the capability of the prospective partner to ensure:

(a) compliance with the legal and regulatory framework in effect;


(b) access by the contracting institution to information about the effectiveness of the transfer of data

and information about shared services;

(c) confidentiality, integrity, availability, and recoverability of data and information about shared

services;

(d) adherence to certifications required by the contracting institution for executing the sharing, in

cluding those established pursuant to Article 44, Item I, subitem “b”;

(e) access by the contracting institution to reports prepared by a specialized and independent auditing

firm, contracted by the potential partner, related to the procedures and controls used in the sharing;

(f) provision of information and existence of management resources suitable for monitoring the

sharing activity; and

(g) quality of access controls in place to protect data and information about the shared services.

§ 1 The procedures mentioned in the heading, including those concerning information about the

verification process mentioned in Item II, shall be documented and kept up-to-date.

§ 2 The management resources referred to in subitem “f” of Item II of the heading shall include

access to:

I - records of consent given by customers that are stored by the potential partner;

II - confirmation that the data or information about shared services by the contracting institution were

received by the potential partner.

§ 3 The contracting institution shall possess the resources and skills necessary to adequately manage

the partnership, including analysis of information and use of the resources provided pursuant to subitem “f” of Item

II of the heading.

§ 4 The procedures that are the subject of the heading shall include the assessment of the legislation

and regulation in force in countries and regions in each country to which the data or information about shared services

may be shared, observing the parameters set by Article 36, § 3, if the contract allows for sharing with foreign

destinations, as well as of the provisions set by the legal framework in effect.

Article 38. The contract which is the subject of Article 36, must include, as a minimum, the follow-

ing:

I - the object of the contract, which shall include the sharing referred to in Article 36;

II - the roles and responsibilities of the contracting parties;

III - identification of the countries and regions in each country to which the data or information about

shared services may be shared;

IV - adoption of security measures for receiving and archiving by the partner of the data or

information about shared services;

V - access by the contracting institution to:

(a) information provided by the partner in order to verify compliance with the provisions laid down

in Items III and IV;

(b) information concerning certificates and specialized auditing reports mentioned in Article 37, Item

II, subitems “d” and “e”; and

(c) information and management resources that are adequate for monitoring the sharing, as men-

tioned in Article 37, Item II, subitem “f”;

VI - the obligation of the partner to notify the contracting institution about any subcontracting of

services related to the sharing;


VII - the permission for the Central Bank of Brazil to access contracts agreed upon for the sharing,

the documents and information concerning the data or information about shared services, as well as the access codes

to such information;

VIII - the adoption of measures by the contracting institution due to the determination of the Central

Bank of Brazil;

IX - the observance of technological standards and operational procedures established in Article 44,

Item I, subitem “b”;

X - the obligation that the partner keeps the contracting institution permanently informed about even-

tual limitations that may affect the sharing or compliance with the legal and regulatory framework in effect; and

XI - procedures for handling requests forwarded by the customer as referred to in Article 34.

§ 1 It is prohibited to include, in the object of the contract, mentioned in Item 1 of the heading:

I - the provision of services by the partner to customers on behalf of the contracting institution, pro-

vided by the regulation pertaining domestic correspondents; and

II – the sharing of customer’s transactional data referred to in Article 5, item I, subitem “d”, about

products and services agreed upon with other institutions.

§ 2 The roles and responsibilities mentioned in Item II of the heading shall include the duty of the

partner and contracting institution to inform the customer that the partner is not acting on behalf of institution, for

the purposes of the sharing.

§ 3 The obligation mentioned in Item X of the heading shall include communication of security

breaches of shared data and information about shared services, as well as the measures taken by the partner to prevent

and resolve them.

§ 4 The contract mentioned in the heading shall provide the following, in the event that the Central

Bank of Brazil determines the resolution of the contracting institution:

I - the obligation that the partner grants full and unrestricted access to the person responsible for

handling the resolution proceedings with respect to the contracts, agreements, documents and information concerning

the sharing, as well as to the access codes mentioned in Item VII of the heading that are in possession of the partner;

and

II - the obligation to previously notify the person responsible for handling the resolution proceedings

of the partner’s intention to suspend the sharing, at least 30 (thirty) days in advance of the suspension, observing that:

(a) the partner hereby agrees to accept a possible request for an additional term of thirty days to

suspend the sharing, when made by the person responsible for handling the resolution proceedings; and

(b) prior notice must also be given when the suspension is prompted by the default of the contracting

institution.

Article 39. The contracting institution is responsible for ensuring the reliability, availability, secu-

rity, and confidentiality of the sharing referred to in Article 36, as well as for compliance with the legal and regulatory

framework in effect.

Section V

Mechanisms for Monitoring and Control

Article 40. The institutions referred to in Article 1 shall establish monitoring and control mechanisms

in order to ensure the reliability, availability, integrity, security, and confidentiality that are the subject of Articles 31

and 39, as well as the implementation and effectiveness of the requirements that are the subject of this Joint

Resolution, including:

I - definition of auditing processes, tests, and audit trails;


II - definition of metrics and compatible indicators; and

III - identification and correction of eventual deficiencies.

§ 1 The process of defining the mechanisms mentioned in the heading shall include:

I - records of consent, authentication, confirmation, and consent revocation of the sharing that is the

subject of this Joint Resolution, in the case of participating institutions;

II - information concerning the shared data and services, including customer identification creden

tials;

III - notifications received regarding the subcontracting that is the subject of Article 38, Item VI,

when it applies; and

IV - communications received about incidents that are the subject of Article 38, § 3, if any have

occurred.

§ 2 The mechanisms mentioned in the heading shall:

I - be subject to periodic testing by internal auditing personnel, when applicable, compatible with the

institution’s internal controls;

II - be compatible with the institution’s cybersecurity policy, as foreseen by the current regulation;

and

III - ensure that the other institutions involved in the sharing do not have access to the credentials

used by the customer for identification and authentication purposes.

Article 41. The institution’s monitoring and control mechanisms shall encompass indicators pertain-

ing to the performance of the interfaces used for the sharing.

Sole Paragraph. The convention that is the subject of Article 44 may define additional indicators

related to the performance of the interfaces referred to in the heading, as well as mechanisms of transparency and

disclosure of such indicators to the general public.

Section VI

Reimbursement of Expenses between Participating Institutions

Article 42. Reimbursement of expenses between participating institutions resulting from the sharing

of data and services that is the subject of this Joint Resolution is permitted, provided the restrictions on charges set

by Article 43 are observed.

Sole Paragraph. For the purposes of the heading with respect to the data and services referred to in

Article 5, Items I, subitems “c” and “d”, and II, subitem “a”, the participating institutions shall ensure:

I - equal treatment and non-discriminatory access by participating institutions, which presumes,

among other factors, access to updated data neither imposing access timeslots nor assigning priority among partici-

pants; and

II - the definition of the following, through the convention that is the subject of Article 44, based on

justified parameters applied equally to all participating institutions:

(a) limits on interface calls per customer, per institution, per day and per method signature, in the

case of the sharing of data that is the subject of Article 5, Item I, subitems “c” and “d”; and

(b) values and method of charging between participants.

Article 43. Reimbursement of expenses among participating institutions is prohibited:

I - for any interface calls related to the payment initiation services that are the subject of Article 5,

Item II, subitem “a”;

II - for, as a minimum:


(a) two interface calls per month per participating institution, per customer and per method signature,

concerning the registration data disciplined by Article 5, Item I, subitem “c”; and

(b) one-hundred and twenty interface calls per month, per participating institution and per customer,

concerning the transactional data that are the subject of Article 5, Item I, subitem “d.”

CHAPTER VI

THE CONVENTION

Article 44. Participating institutions shall agree to commit to a convention, observing the provisions

of this Joint Resolution concerning features related to:

I - technological and operational standards that encompass, as a minimum:

(a) implementation of dedicated interfaces as discussed in Article 23, including:

1. interface design;

2. protocol for data transmission;

3. format for data exchange; and

4. access controls to the interfaces and data;

(b) security standards and certificates; and

(c) requests for sharing data and services in order to standardize the following:

1. information presented to customers;

2. interaction method with customers; and

3. duration of the stages;

II - standardization of data and services’ layout, including:

(a) data dictionary; and

(b) grouping of data as referred to in Article 11;

III - channels for forwarding customer claims;

IV - the procedures and mechanisms for handling and settling disputes among participating

institutions, including those stemming from requests forwarded through the channels mentioned in Item III;

V - reimbursement between participants;

VI - participant repository;

VII - participant’s rights and obligations; and

VIII - other factors considered necessary to fulfill the provisions set by this Joint Resolution.

§ 1 For purposes of the provision laid down in the heading, a structure responsible for governing the

process shall be set-up in order to guarantee:

I – the representativeness and diversity of participating institutions and segments;

II - non-discriminatory access by participating institutions;

III - mitigation of conflicts of interest; and

IV - sustainability of Open Banking.

§ 2 Information on the standard for implementing the dedicated interfaces referred to in Item I, sub-

item “a” of the heading, including version controls, shall be kept up-to-date and accessible to all participating insti

tutions.


§ 3 The information referred to in § 2 must be kept up-to-date and accessible to the general public,

in what concerns the interfaces mentioned in Article 23, § 2.

Article 45. The rules, procedures, and standards defined in the convention that is the subject of

Article 44 shall be formalized in an instrument signed by participating institutions in the following manner:

I - at individual level;

II - through another institution that holds representational powers over the institution mentioned in

Item I; or

III - through national level representative associations.

§ 1 The instrument that formalizes the convention shall clarify that its provisions are mandatory.

§ 2 The rules, procedures, and standards that are the subject of the heading shall be observed uni-

formly by participating institutions.

§ 3 The instrument that formalizes the convention referred to in § 1, as well as membership terms

associated with new participants, shall remain at the disposal of the Central Bank of Brazil.

Article 46. The Central Bank of Brazil will:

I – establish the initial structure responsible for the governance of Open Banking’s implementation

process in Brazil, based on the directives set by Article 44, § 1; and

II - participate in the drafting of the convention that is the subject of Article 44, in order to guarantee

that the objectives mentioned in Article 3 are fulfilled and the principles set by Article 4 are observed.

Sole Paragraph. In order to define the structure referred to in the heading, item I, the Central Bank

of Brazil shall promote discussions among participating institutions, represented through their national-level repre-

sentative associations.

Article 47. The content of the convention that is the subject of Article 44 shall be submitted for the

Central Bank of Brazil’s approval, with the following deadlines being observed:

I - until September 1st, 2020, in relation to the following:

(a) the provisions of Items III, VI and VII of Article 44; and

(b) the operational procedures and technological and layout standards that are the subject of Items I

and II of Article 44, concerning the sharing of data on service channels, products and services referred to in Article

5, Item I, subitems “a” and “b”, numbers 1 to 5;

II - until March 1st, 2021, in relation to the following:

(a) the provisions of Item IV of Article 44; and

(b) the operational procedures and technological and layout standards referred to in Items I and II of

Article 44, concerning the sharing of registration and transactional data referred to in Article 5, Item I, subitems “c”

and “d,” numbers 1 to 5, as well as the reimbursement of expenses between participating institutions concerning the

sharing of those data;

III - until June 1st, 2021, in relation to the operational procedures and technological and layout stand-

ards referred to in Items I and II of Article 44, concerning the sharing of services that are the subject of Article 5,

Item II; and

IV - until August 2nd, 2021, in relation to the operational procedures and technological and layout

standards referred to in Items I and II of Article 44, concerning:

(a) the sharing of data on products and services referred to in Article 5, Item I, subitem “b,” numbers

6 to 10; and


(b) the sharing of transactional data referred to in Article 5, Item I, subitem “d,” numbers 6 to 11, as

well as the reimbursement of expenses between participating institutions concerning the sharing of those data.

Sole Paragraph. Amendments introduced after the approval of the convention’s content as referenced

in the heading shall be submitted to the Central Bank of Brazil for approval, in the form it establishes.

CHAPTER VII

GENERAL PROVISIONS

Article 48. Institutions shall ensure that their risk management policies, contained in the regulation

in effect, include provisions related to business continuity that address:

I - procedures to be followed in the event the interfaces used for the sharing are unavailable, taking

into consideration the availability of alternatives for the sharing referred to in Article 25;

II - the deadline for resumption or normalization of the interface that is the subject of Item I;

III - the treatment of incidents related to security breaches of the shared data and the measures taken

to prevent and resolve them; and

IV - the performance of business continuity tests, considering the interface unavailability scenarios

mentioned in Item I and the assessment of their results.

Article 49. The following shall remain at the disposal of the Central Bank of Brazil for a period of

five years:

37, § 1.

I - information referring to valid consents, as referred to in Article 14;

II - information referring to revoked consents, as referred to in Article 15;

III - access records, as referred to in Article 25, § 2, Item II;

IV - the documents referred to in Article 26, § 3;

V - the semiannual report, as referred to in Article 33;

VI - the statement referred to in Article 36, § 6;

VII - procedures related to verifying the capability of the prospective partner, as referred to in Article

VIII - the contracts mentioned in Article 38, where the time period referred to in the heading is

calculated starting from the contract’s termination date;

IX - the data, records, and other information related to the monitoring and control mechanisms re-

ferred to in Article 40; and

X - the instrument and the new membership terms referred to in Article 45, § 3.

Sole Paragraph. For the purposes of the provision set forth in Item IX of the heading, the deadlines

shall be calculated starting from the implementation of the aforementioned mechanisms.

CHAPTER VIII

FINAL PROVISIONS

Article 50. Participating institutions might aggregate their customers’ data shared in accordance with

this Joint Resolution, if this activity is related to its corporate purpose and inherent to the achievement of its objectives

Article 51. The Central Bank of Brazil may take the necessary actions in order to accomplish the

fulfillment of the provisions set forth in this Joint Resolution, as well to discipline:

I - the details of the data and services to be shared, as mentioned in Article 5;

II - the parameters related to the:


25, § 1;

(a) unavailability of interfaces, as referred to in Article 25; and

(b) performance of customer’s sharing requests, as referred to in Article 8;

III - the deadlines for communications regarding the instances of unavailability referred to in Article

IV - the certification and other technical requirements to be requested to partners by the contracting

institution about the sharing that are the subject of Article 36;

V - complementary parameters concerning the prohibition on reimbursement between participating

institutions that are the subject of Article 43;

VI - the participation referred to in Article 46;

VII - the form of submitting the convention, as referred to in Article 47;

VIII - the deadlines for resumption or normalization of interface, as referred to in Article 48, Item II;

and

Resolution.

IX – additional requirements and operational procedures necessary for the fulfillment of this Joint

Sole Paragraph. The parameters related to unavailability and performance that may be eventually

defined in accordance with the provision set by the heading, item II, shall be compatible with the regulatory frame-

work in effect, including the regulation or instrument that governs the payment scheme pertaining to the respective

payment transaction.

Article 52. The Central Bank of Brazil may veto or impose restrictions on the sharing that is the

subject of Article 36 of this Joint Resolution if, at any time, encounters a failure in the observance of the provisions

set forth in this Joint Resolution, as well as a limitation on the Central Bank of Brazil’s actions, in which case a

deadline for adjustments shall be set.

Article 53. The institutions referred to in Article 1 that, on the date this Joint Resolution comes into

force, already have contracts with entities not licensed by the Central Bank of Brazil in order to share data and

services under the terms of Article 36, must submit to the Central Bank of Brazil, by November 3, 2020, a schedule

for compliance with the provisions set by Article 38.

Sole Paragraph. The deadline for compliance mentioned in the heading may not exceed December

31, 2021.

read as follows:

Article 54. Resolution No. 3,919, dated November 25th, 2010, amended hereby, shall henceforth

“Article 1 ……………………………...………………………………………………………………

………………………………………………………………………………………………………...

§ 2 ……………………………………………………………………………………………………..

I - in accounts held by the Judiciary and for escrow deposits pursuant to Law No. 8,591, dated De-

cember 13th, 1994;

II - upon withdrawal, as a result of the issuance of boletos or invoices for collection, utility bills and

the like; and

III - for the sharing of data that is the subject of Joint Resolution No. 1, dated May 4th, 2020.” (NR)

“Article 5………………………………………………………………………………………………

………………………………………………………………………………………………………...

XIX - emergency replacement of a credit card;

XX - agricultural auctions; and


lines;

XXI - aggregation of data shared in accordance with Joint Resolution No. 1, dated May 4th, 2020.

………………………………………………………………………………………………...” (NR)

Article 55. This Joint Resolution enters into force on June 1st, 2020, observing the following dead-

I - until November 30th, 2020, for implementing the provisions set by items III and VI of Article 44,

as well as for the necessary requirements for sharing data on service channels, products and services referred to in

Article 5, Item I, subitems “a” and “b”, numbers 1 to 5;

II - until May 31st, 2021, for implementing the provisions set by item IV of Article 44, as well as for

the necessary requirements for sharing registration and transactional data referred to in Article 5, Item I, subitems

“c” and “d”, numbers 1 to 5.

III - until August 30th, 2021, for implementing the necessary requirements for sharing the services

referred to in Article 5, Item II; and

IV - until October 25th, 2021, for implementing the necessary requirements for sharing:

(a) data on products and services referred to in Article 5, Item I, subitem “b”, numbers 6 to 10; and.

(b) transactional data referred to in Article 5, Item I, subitem “d”, numbers 6 to 11.

Roberto de Oliveira Campos Neto

Governor of the Central Bank of Brazil

regulation on open banking

Documents